Firefox 39 (ETA 30th June) and Chrome 45 (ETA sometime in late August) introduce new security features that will prevent access to websites using older encryption ciphers, such as the default Diffie-Hellman.
This can prevent access to the CaféX WBF (Web Plugin Framework), e.g. when you browse to https://your-server:8443/web_plugin_framework/webcontroller/ you get an error similar to:
Server has a weak, ephemeral Diffie-Hellman public key
Note: This will also affect service URLs that are not behind a reverse proxy, e.g. services hosted in AWS with no reverse proxy protecting them.
Remove the older ciphers from the cipher suites used by FAS.
1. Make a backup of your fas.properties file
- cd /opt/cafex/FAS-2.1*/domain/configuration
- cp fas.properties fas.bak-<date>
2. Edit fas.properties and remove the weak encryption ciphers
- vi fas.properties and make the following changes to the jsse cipher suites:
3. Restart FAS from the command line
- service fas restart
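An added example for step 2 (not CaféX's own tooling): a shell helper that strips finite-field Diffie-Hellman suites (names containing _DHE_ or _DH_) from a comma-separated JSSE cipher suite list while keeping ECDHE suites. The property key example.cipher.suites and the sample suite list are constructed placeholders, because the page does not show the real key, and the value is assumed to sit on a single line.

```shell
#!/bin/sh
# Added example: helper for editing a JSSE cipher suite list.
# Assumption: the suite list is one comma-separated value on a single line.

# filter_dhe LIST
# Prints LIST without finite-field DH suites (names containing _DHE_ or
# _DH_, e.g. TLS_DHE_RSA_..., SSL_DH_anon_...). ECDHE suites are kept:
# "_ECDHE_" does not contain "_DHE_" because the D follows "EC", not "_".
filter_dhe() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v -e '_DHE_' -e '_DH_' |
        grep -v '^$' |
        paste -sd, -
}

# rewrite_suites FILE KEY
# Prints FILE to stdout with the value of KEY filtered through filter_dhe.
# Every other line is passed through unchanged. FILE itself is not modified,
# so the result can be diffed against the backup before it is put in place.
rewrite_suites() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$2="*) printf '%s=%s\n' "$2" "$(filter_dhe "${line#*=}")" ;;
            *)      printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# Demo on a constructed list (not taken from a real fas.properties):
filter_dhe "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"

# Typical use, with KEY replaced by the real property name:
#   rewrite_suites fas.properties KEY > fas.properties.new
#   diff fas.properties fas.properties.new
```

Review the diff before replacing fas.properties, then restart FAS as in step 3.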